On December 13, 2016, a cryptocurrency investor and a court-appointed receiver filed a class action complaint in the United States District Court for the Southern District of Florida against Coinbase, Inc., the San Francisco-based cryptocurrency exchange, for allegedly aiding and abetting a multi-million dollar fraud committed by now-insolvent cryptocurrency exchange, Cryptsy, and its founder and CEO, Paul “Big Vern” Vernon. Cryptsy was a crypto-to-crypto exchange for investors to buy, sell, or trade in alternative cryptocurrencies. Vernon has been accused of using Cryptsy accounts that he controlled to steal millions of dollars in funds belonging to Cryptsy’s customers. The complaint alleges that, over a three-year period, Vernon stole approximately $8.2 million in customer funds, by 1) transferring Cryptsy’s customers Bitcoins into a Cryptsy “hot” wallet under Vernon’s control, 2) transferring those Bitcoins to Coinbase accounts in the name of Cryptsy and Vernon, 3) using those accounts to convert the stolen funds into U.S. dollars, and 4) depositing the stolen funds into Vernon’s personal bank account. The complaint further alleges that Vernon falsely represented to Coinbase that the withdrawals from the accounts represented either Cryptsy revenues or Bitcoin that Vernon owned personally. Upon learning of the fraud, Plaintiff filed a lawsuit against Cryptsy and Vernon, but shortly thereafter, Vernon withdrew the funds from his bank account, fled to China, and he hasn’t been heard from since. Plaintiffs then filed this lawsuit against Coinbase, asserting that it is liable for the losses sustained by Cryptsy’s customers because Coinbase was a co-conspirator, and aider and abettor, of Cryptsy and Vernon. Plaintiffs also allege that Coinbase failed to properly monitor the Coinbase accounts that were used to launder Cryptsy customers’ money, and ignored its duty to investigate suspicious activities under U.S. anti-money laundering rules and the Bank Secrecy Act.

The investor alleges causes of action against Coinbase under California law on behalf of himself, individually and a class of Cryptsy customers, for 1) aiding and abetting breach of fiduciary duty; 2) aiding and abetting conversion; 3) negligence; and 4) unjust enrichment. The receiver, who, was appointed by another court in the Southern District of Florida to, inter alia, “administer and manage the business affairs, funds, assets, choses in action and any other property of [Cryptsy]; marshal and safeguard all of Cryptsy’s assets; and take whatever actions are necessary for the protection of Cryptsy investors and customers,” alleges similar claims.

Aiding and Abetting

Plaintiffs face an uphill battle in holding Coinbase liable for Vernon’s acts. Aiding and abetting liability generally only exists if the defendant had actual knowledge of the wrongful conduct and gives substantial assistance or encouragement to the wrongdoer to commit the wrongful acts, or if the defendant provided substantial assistance and breached a duty it owed directly to plaintiff. Neilson v. Union Bank of California, N.A., 290 F. Supp. 2d 1101, 1118 (C.D. Cal. 2003). The complaint does not allege any facts demonstrating that Coinbase actually knew of Cryptsy’s and Vernon’s malfeasance. Instead, Plaintiffs allege that Coinbase should have known of Cryptsy’s and Vernon’s alleged breach of fiduciary duty and conversion because it “could not have reasonably believed that CRYPTSY was conducting nearly $1,700,000,000.00 USD in cryptocurrency exchange trading business over the stated time period” (Compl., ¶ 57), and “[h]ad COINBASE even cursorily audited or reviewed the blockchain history of the Bitcoin deposited into VERNON’s COINBASE account, it would have been open and obvious to COINBASE that VERNON’s statements were completely without merit.” Compl., ¶ 64. Allegations of constructive knowledge are insufficient to state a claim for aiding and abetting. Casey v. U.S. Bank Nat'l Ass'n, 127 Cal. App. 4th 1138, 1148 (2005) (plaintiffs failed to state a claim against bank for aiding and abetting absent allegations of actual knowledge, even if “the complaint provides ample details of the banks' improper conduct in their business dealings with the unscrupulous DFJ Fiduciaries”).

Plaintiffs will also be hard-pressed to identify a duty owed directly to them by Coinbase, as they were merely investors in a company that maintained accounts at Coinbase. See, e.g., McCann v. Lucky Money, Inc., 129 Cal. App. 4th 1382, 1398 (2005) (concluding that foreign currency exchange was not subject to fiduciary duties; “[g]enerally, there is no fiduciary owed duty in a purely commercial situation.”).

Plaintiffs further allege that Coinbase was a co-conspirator of Cryptsy and Vernon, but again, do not allege sufficient facts to support that claim. “To assert a claim for civil conspiracy, a plaintiff must show: ‘(1) formation of the conspiracy (an agreement to commit wrongful acts); (2) operation of the conspiracy (commission of the wrongful acts); and (3) damage resulting from operation of the conspiracy.’” Multifamily Captive Grp., LLC v. Assurance Risk Managers, Inc., 629 F. Supp. 2d 1135, 1146 (E.D. Cal. 2009) (citations omitted). Here, as discussed above, Plaintiffs fail to allege that Coinbase actually knew that Cryptsy and Vernon were planning to steal their customers’ cryptocurrency, let alone any agreement by Coinbase to the scheme.

Negligence

Plaintiffs will have a hard time prevailing on their negligence claim because, regardless of whether or not Coinbase owed a duty towards Plaintiffs, they likely will be unable to allege that Coinbase was not the proximate cause of their loss. “The elements of a cause of action for negligence are (1) a legal duty to use reasonable care, (2) breach of that duty, and (3) proximate [or legal] cause between the breach and (4) the plaintiff's injury.” Vincent v. Wells Fargo Bank, No. CV F 09-1825 LJO DLB, 2009 WL 4039681, at *2 (E.D. Cal. Nov. 18, 2009) (citations omitted).

“Generally, there is no duty to prevent economic loss to third parties in negligence actions at common law.” Cisco Sys., Inc. v. STMicroelectronics, Inc., 77 F. Supp. 3d 887, 895 (N.D. Cal. 2014). As an exception to the economic loss rule, courts have found a duty to exist if there is a special relationship between plaintiff and defendant based upon “the balancing of various factors, among which are the extent to which the transaction was intended to affect the plaintiff, the foreseeability of harm to him, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, and the policy of preventing future harm.” Biakanja v. Irving, 49 Cal. 2d 647, 650 (1958). Courts also look at “the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.” Rowland v. Christian, 69 Cal. 2d 108, 113, 443 P.2d 561, 564 (1968).

Here, the Biakanja-Rowland factors are divided, with the following factors weighing against the finding of any duty: (1) the extent to which the transaction was intended to affect the plaintiff; (2) moral blame; (3) the policy of preventing future harm; and (4) the burden to the defendant and consequences to the community.

First, Plaintiffs allege that Cryptsy and Vernon informed Coinbase that they intended to use their Coinbase accounts to liquidate Bitcoins collected as exchange fees (Compl., ¶ 46), but do not allege that Coinbase had any knowledge that the accounts were set up to liquidate Bitcoins belonging to Cryptsy customers.

Second, there are no allegations indicating that Coinbase is morally to blame for Vernon’s alleged theft and Plaintiffs’ losses. See C.A. v. William S. Hart Union High Sch. Dist., 53 Cal. 4th 861, 878 (2012) (“Unless the individual alleged to be negligent in a hiring or retention decision knew or should have known of the dangerous propensities of the employee who injured the plaintiff, there is little or no moral blame attached to the person's action or inaction. And unless the employee's propensities posed a substantial risk of personal injury to the plaintiff or others in the same circumstances, there is again little moral blame to assign.”). Plaintiffs have not alleged that Coinbase actually knew of the malfeasance and, although Plaintiffs assert that Coinbase had constructive knowledge, Plaintiffs fail to provide minimal facts to support this assertion. Moreover, Coinbase was not an active participant in the theft. Burns v. Neiman Marcus Grp., Inc., 173 Cal. App. 4th 479, 490 (2009) (“There is no allegation that Neiman Marcus actively participated in Young's alleged embezzlement of funds from plaintiff”).

Third, the additional burden on Coinbase, above its existing legal obligations, would be great and the imposition of tort liability in this circumstance could stifle virtual currency transactions. Federal and state law already regulate when Coinbase must make suspicious activity reports. Here, allowing a claim to proceed based on Plaintiffs’ allegations would effectively require Coinbase (and other virtual currency exchanges) to monitor, investigate, and report on all transactions involving virtual currencies, an obligation that is far beyond those required by law.

The foreseeability factors (foreseeability of harm, certainty of injury, and closeness of connection between defendant’s conduct (or lack thereof) and the injury) weigh in favor of imposing a duty on Coinbase, as it is foreseeable that theft and money laundering could occur through a currency exchange business, as Plaintiffs did suffer a loss of their Bitcoins, and as Plaintiffs’ loss would not have likely occurred had Coinbase been more vigilant by monitoring its accounts and investigating irregular and excessive activities. Huang v. Bicycle Casino, Inc., 208 Cal. Rptr. 3d 591, 600–01 (Ct. App. 2016) (Foreeseability “is not to decide whether a particular plaintiff's injury was reasonably foreseeable in light of a particular defendant's conduct.... [Instead, we must] evaluate more generally whether the category of negligent conduct at issue is sufficiently likely to result in the kind of harm experienced that liability may appropriately be imposed [on the negligent party]. Foreseeability involves three considerations: the [general] foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, [and] the closeness of the connection between the defendant's conduct and the injury suffered.” (internal citations and quotations omitted)).

Additionally, imposing tort liability upon Coinbase could serve the policy of preventing future harm. Although Coinbase is already subject to federal and state laws regulating money transmitters and exchanges that, among other things, require the reporting of suspicious activities, it is possible that Coinbase would be more vigilant if it was held liable for Plaintiffs’ losses.

Without additional facts it is unclear how the final factor (prevalence of insurance for the risk involved) would affect the Biakanja-Rowland analysis, because, although Coinbase undoubtedly has insurance as a licensed money transmitter/exchange, it is unknown whether that insurance would cover the loss claimed by Plaintiffs.

Regardless of whether Plaintiffs can succeed on the duty element of negligence, it is likely that the court would conclude that Coinbase was the not the proximate cause of their injuries. To “demonstrate actual or legal causation, the plaintiff must show that the defendant's act or omission was a ‘substantial factor’ in bringing about the injury.” Saelzler v. Advanced Grp. 400, 25 Cal. 4th 763, 774, 23 P.3d 1143, 1150 (2001). Here, Plaintiffs allege that it was not until October 2015 that the media reported that Cryptsy was being investigated by government agencies (Compl., ¶ 108), at which point Coinbase closed Cryptsy’s and Vernon’s accounts (Compl., ¶ 110). Plaintiffs also allege that Cryptsy told Coinbase that its account was a “byproduct of the 0.3% transaction fee CRYPTSY assessed its customers” (Compl., ¶ 55), but do not allege when this disclosure was made. Plaintiffs also allege that “[h]ad COINBASE even cursorily audited or reviewed the blockchain history of the Bitcoin deposited into VERNON’s COINBASE account, it would have been open and obvious to COINBASE that VERNON’s statements [that the Bitcoins were derived through his personal mining efforts] were completely without merit” (Compl., ¶¶ 61, 64), but do not allege any facts to suspect Vernon’s statements were false. See Karen Kane, Inc. v. Bank of Am., 67 Cal. App. 4th 1192, 1198 (1998) (“we do not believe that volume or amount of the checks was sufficient to inform respondents of the possibility of improper activity at Karen Kane”). Thus, without additional facts, Coinbase’s alleged negligent failure was not a substantial factor in causing Plaintiffs’ injury as Coinbase would not have been on constructive notice of possible theft by Vernon until October 2015, by which point Plaintiffs had already suffered their losses.

Unjust Enrichment

The standalone claim for unjust enrichment is likely to fail, as unjust enrichment is not a cause of action under California law, but a remedy. Jogani v. Superior Court, 165 Cal. App. 4th 901, 911 (2008) (Unjust enrichment is not a cause of action but "a general principle underlying various doctrine and remedies."); Levine v. Blue Shield of California, 189 Cal. App. 4th 1117, 1138 (2010) (Unjust enrichment "is synonymous with restitution."); Melchoir v. New Line Productions, Inc., 106 Cal. App. 4th 779, 793 (2003) (affirming summary judgment on claim for unjust enrichment because there is no cause of action for unjust enrichment).

******

In sum, it is going to be very difficult for Plaintiffs to avoid the dismissal of their complaint based on the current allegations. As of this writing, Coinbase has yet to respond to the complaint. Further updates will be provided once a response is filed.

While ENS cyber-squatting is most likely actionable under the same laws that protect domain names in DNS registration, ENS’s decentralized nature and Ethereum wallet addresses’ pseudonymity will inhibit the legal system’s effectiveness and possibly hinder the tech’s mainstream adoption.